I only skimmed the first few pages, but got the impression that paper says "GPU architecture is different that modern CPUs, especially around memory layout/protection" and it isn't immediately clear to me where responsibility for any vulnerability lies. Is
it simply not possible to write memory-corruption-proof code for GPUs?

Regardless, I have no problem with issuing CVE IDs for hardware vulnerabilities. I'm just claiming that they are rare, and usually involve low-level software.